Unable to install plugins from online source nu.novell.com on OES

  • 7021183
  • 04-Aug-2017
  • 09-Aug-2017

Environment

iManager 2.7.X
OES 2015
OES 11

Situation

When attempting to install plugins from Novell Downloads (nu.novell.com), plugin install never progresses or completes.

/var/opt/novell/tomcat6/logs/catalina.out file shows the following error:

NetIQ JClient 2.08.0503-2.8.503. (c) 2013 NetIQ Corporation and its affiliates. All Rights Reserved.
DownloadAndInstall..124 com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal
 cause is: 
                                java.security.cert.CertPathValidatorException: 
The certificate issued by CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  is not trusted; internal cause is: 
        java.security.cert.CertPathValidatorException: Certificate chaining error



Resolution

Download the certificate specified in the catalina.out file from https://www.digicert.com/digicert-root-certificates.htm

For example:

DigiCert Global Root CA
DigiCert High Assurance EV Root CA

Copy the downloaded certificate to the OES server.  For this example, the certificate was saved as: DigiCertHighAssuranceEVRootCA.crt

Install the certificate into the cacerts file used by iManager using the following command:

keytool -import -alias DigiCert -file /tmp/DigiCertHighAssuranceEVRootCA.crt -keystore /var/opt/novell/tomcat6/conf/cacerts

When prompted:  Trust this certificate? [no]:   Type:  yes  then press enter

When prompted:  Enter keystore password:  Type: changeit

Restart iManager:  rcnovell-tomcat6 restart

Cause

The root CA for the DigiCert certificate used by nu.novell.com has not been imported into the certificate store file </var/opt/novell/tomcat6/conf/cacerts> on OES.

Importing the certificate will allow java to trust the certificate used by nu.novell.com and download the npms for installation.

Additional Information

Note:  Adding the DigiCert High Assurance EV Root CA certificate will cause all certificates issued by this CA to be trusted.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.